AWS → GCP Service Mapping: Practical Notes for Engineering-Driven Cloud Migration
Careless 1:1 cloud service mapping creates more operational headaches than most engineers realize. That EC2 instance running fine on AWS? Onboarding it to GCP Compute Engine is the easy part—the nuances in IAM, networking, storage semantics, and pricing structure are what surface weeks later in incident reviews.
Mapping Core Building Blocks
Practical engineers ask: What, precisely, breaks—or gets better—when workload X moves from AWS to GCP? Below, a concise but granular mapping by major service area, with hard-won caveats.
Compute & Containers
| AWS Service | GCP Equivalent | Operational Caveats |
|---|---|---|
| EC2 | Compute Engine | Different machine families (N2, E2, etc.), custom VM shapes in GCP; sustained use discounts not the same as AWS reserved instances. Preemptibles ≈ spot, but eviction behaviors diverge. |
| ECS | GKE, Cloud Run | ECS to GKE is direct if you’re on Kubernetes. For ECS/Fargate, Cloud Run abstracts infra further, but lacks full shell access, and startup latency can catch legacy tasks. |
| EKS | GKE | Both CNCF conformant, but IAM integration is different (AWS IAM ≠ GCP IAM), require refactoring RBAC. GKE Autopilot adds a twist (per-pod billings). |
| Lambda | Cloud Functions | Cold start profiles, supported runtimes, and resource limits differ. Lambda event source ecosystem is larger. |
Known issue: Migrating high-churn workloads (e.g. scale-to-zero microservices) from Lambda to Cloud Functions? Expect different timeout/default concurrency limits—test for tail latency.
Networking
| AWS | GCP VPC Equiv | Notable Differences |
|---|---|---|
| VPC | VPC | Subnet creation: AWS uses regional; GCP prefers global VPC, regional subnets. Firewall rules default open in GCP; close by default in AWS. |
| ELB/ALB/NLB | Load Balancer (HTTP(S)/TCP/UDP/SSL) | GCP L7 LB is global by default, DNS-based. AWS separates types; avoid assuming sticky sessions work the same. |
| Direct Connect | Dedicated Interconnect | GCP requires minimum 10Gbps link. BGP config differs. Check for availability at your colocation site. |
# Quick subnetting mismatch example
# AWS: 10.0.0.0/16 (Region), subnets 10.0.1.0/24, 10.0.2.0/24
# GCP: One VPC (global), subnets 10.1.0.0/20 (us-central1), 10.2.0.0/20 (europe-west1)
Storage & Databases
| AWS | GCP Equivalent | Details & Gotchas |
|---|---|---|
| S3 | Cloud Storage | Lifecycle rules, storage classes don’t line up 1:1. S3 Select ≠ GCP’s equivalent. Watch for API surface mismatches (e.g. S3's strong read-after-write consistency took years to catch up). |
| EBS | Persistent Disk | Native snapshots in both, but GCP’s regional disk operates differently. Performance tuning requires reviewing pd-ssd vs pd-balanced rather than AWS’s gp3/io1 tiers. |
| RDS (MySQL/Postgres) | Cloud SQL | Maintenance windows, failover timing, and major version support may lag AWS by quarters. Small but important: Cloud SQL proxy is often needed for secure connections in CI/CD. |
| DynamoDB | Bigtable, Firestore | No direct equivalent: large tabular, OLAP-type—use Bigtable (google-cloud-bigtable SDK); flexible documents—Firestore Native mode. Indexing, consistency, and TTL logic differ. |
| ElastiCache | Memorystore | Managed Redis/Memcached supported, but Redis versions lag behind AWS. Some Redis command sets in ElastiCache aren’t available. |
Real-world trade-off: High-throughput, low-latency table from DynamoDB? In GCP, Bigtable scales but is tuned for wide-column workloads; Firestore supports richer documents but may not deliver the same deterministic performance at scale.
Analytics, Streaming, & ML
| AWS | GCP Equivalent | Caveats |
|---|---|---|
| Redshift | BigQuery | BigQuery is serverless and priced by scanned bytes, not node-hours. Some complex joins may need rewrite due to strict SQL dialect. No BYON (bring your own node). |
| Glue Jobs | Dataflow | Glue—Spark based; Dataflow—Apache Beam. Direct port needs code refactor (beam transforms). |
| Kinesis | Pub/Sub, Dataflow | Cloud Pub/Sub for event ingestion; couple with Dataflow for ETL. Kinesis Data Streams = Pub/Sub; Firehose = Dataflow. Delivery lag and ordering guarantees are not strictly identical. |
| SageMaker | Vertex AI | Both offer managed notebooks, training, hyperparameter tuning. AutoML API differences, and pricing granularity (training, batch prediction) changes. |
Tip: When porting analytics, run cost simulations. An unoptimized BigQuery query can burn through budget in minutes—add --max_bytes_billed limits.
Security & Identity
| AWS | GCP Equivalent | Migration Notes |
|---|---|---|
| IAM | Cloud IAM | AWS’s policy documents differ from GCP IAM’s role bindings. Bulk import requires scripting (gcloud iam roles copy) and manual validate. |
| KMS | Cloud KMS | Envelope encryption flows similar, but Cloud KMS key versioning and access audit logs are different. Test rotation. |
| Shield / WAF | Cloud Armor, Security Command Center | WAF rules syntax and integration points differ; Cloud Armor pre-integrates with global HTTP(S) LB. Shield can’t be mapped 1:1. |
Note: Google projects are rigid in structure—one resource belongs to one project. Multi-tenancy models often require rethinking.
Practical Example: ECS Fargate → GKE Autopilot
Scenario: Migrating microservices stack from ECS Fargate (CPU: 512m, Mem: 1GB, 50 services, Spot-backed tasks)
Approach:
- Provision GKE Autopilot (master version
1.27) - Use Helm v3 to deploy manifest set
- Set Pod specs:
resources: requests: cpu: 500m memory: 1Gi limits: cpu: 1000m memory: 2Gi nodeSelector: cloud.google.com/gke-nodepool: default-pool - Replace S3 backend with Cloud Storage, update
gsutilscripts - IAM: Rewrite role bindings in
cloud-iam.yaml—rungcloud projects add-iam-policy-binding.
Result: Equivalent performance, but startup times crept up for a few services due to GCP’s default networking policies—solved by tuning network tags and firewall rules.
Non-Obvious Migration Pitfalls
- Billing visibility: GCP’s cost breakdown granularity differs, especially for managed services. Use Budgets and Alerts, but don’t assume they’re as fine-grained as AWS Cost Explorer out-of-the-box.
- Tagging: GCP labels are more restricted than AWS tags (no nested/structured keys or characters like
/). May affect cost allocation in large orgs. - Image registries: ECR ≠ Artifact Registry. Artifact Registry supports Docker/OCI, but CLI usage (
gcloud artifacts) is different—training needed. - Service limits: Default quotas and API rate limits can be lower in GCP (hit 50-node GKE cluster cap sooner than expected).
Migration Checklist
- Inventory current services — scriptable via AWS CLI.
- Dependency map — network, IAM, secrets, and data paths.
- Prototype critical path workloads on GCP (sandbox project).
- Optimize after parity, not during migration: tune auto-scaling and storage class post-launch.
Spot something broken post-cutover? GCP’s logging (Stackdriver/Cloud Logging) indexes differently from CloudWatch. Pattern:
resource.type="k8s_container"
jsonPayload.message~"ERROR"
Test your monitoring pipelines before the big switch.
Closing Thought:
Direct lift-and-shift rarely yields optimal results—mapping AWS services to GCP equivalents is a start, but tuning for workload semantics and operational quirks is what keeps incidents off the PagerDuty rotation. Not every AWS feature has a GCP twin; sometimes, the right move is refactor—not just remap.